Egresser is a tool to enumerate outbound firewall rules, designed for
penetration testers to assess whether egress filtering is adequate from
within a corporate network. Probing each TCP port in turn, the Egresser
server will respond with the client’s source IP address and port,
allowing the client to determine whether or not the outbound port is
permitted (both on IPv4 and IPv6) and to assess whether NAT traversal is
likely to be taking place.

How it Works

The server-side script works in combination with iptables, redirecting all
TCP traffic to port 8080 where the ‘real’ server resides. The server-side
script is written in Perl and is a pre-forking server utilising
Net::Server::PreFork, listening on both IPv4 and IPv6 if available. Any TCP
connection results in a simple response containing a null-terminated string
made up of the connecting client’s IP and port. Feel free to use Telnet to
interact with the service if you are in a restricted environment without
access to the Egresser client (our Egresser server can be found at
egresser.labs.cyberis.co.uk, which you are free to use for legitimate
purposes).

The client is also written in Perl and is threaded for speed. By default it
will scan TCP ports 1-1024, although this is configurable within the
script. It is possible to force IPv4 with the ‘-4’ command line argument,
or IPv6 with ‘-6’; by default it will choose the protocol preferred by your
operating system. If you want to explicitly list all open/closed ports,
specify the verbose flag (-v), as normal output is a concise summary of
permitted ports only.
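As an added example that is not Egresser’s own code (the real tool is written in Perl), the following Python responder and threaded client implement the exchange described above: the server replies with a null-terminated string of the client’s source IP and port, and the client uses that reply to classify each port and to flag NAT by comparing what the server saw with its own socket address. The `ip:port` wire format, the function names and the loopback setup are assumptions; confirm the exact reply format of the public service with Telnet before relying on the parser.

```python
# Added example (not Egresser's own Perl code): a minimal echo-back responder
# and a threaded probing client in the style the page describes. The wire
# format "ip:port\0" and all function names here are assumptions.
import socket
import threading
from concurrent.futures import ThreadPoolExecutor


def format_response(ip, port):
    """Server reply: the client's observed source IP and port, null-terminated."""
    return f"{ip}:{port}\0".encode("ascii")


def parse_response(data):
    """Return (ip, port) from a reply, or None if it is not well formed.

    rpartition keeps IPv6 literals such as ::1 intact: only the final colon
    separates the port.
    """
    if not data.endswith(b"\0"):
        return None
    ip, sep, port = data[:-1].decode("ascii", errors="replace").rpartition(":")
    if not sep or not ip or not port.isdigit():
        return None
    return ip, int(port)


def start_server(host="127.0.0.1", port=0, family=socket.AF_INET):
    """Run a tiny responder in a daemon thread; returns (listener, bound_port).

    Port 0 lets the OS pick a free port. The real tool listens on 8080 and
    relies on an iptables REDIRECT to funnel every TCP port to it.
    """
    listener = socket.socket(family, socket.SOCK_STREAM)
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.bind((host, port))
    listener.listen(16)

    def loop():
        while True:
            try:
                conn, addr = listener.accept()
            except OSError:  # listener closed: stop serving
                return
            with conn:
                conn.sendall(format_response(addr[0], addr[1]))

    threading.Thread(target=loop, daemon=True).start()
    return listener, listener.getsockname()[1]


def probe(host, port, timeout=2.0):
    """Probe one outbound TCP port and classify the result.

    'open' means the responder answered, so the perimeter permits the port.
    'accepted-no-reply' means something completed the handshake but did not
    speak the protocol (typically a transparent proxy or captive portal);
    it must not be counted as a permitted port.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            local_ip, local_port = s.getsockname()[:2]
            data = b""
            while not data.endswith(b"\0") and len(data) < 256:
                chunk = s.recv(64)
                if not chunk:
                    break
                data += chunk
    except socket.timeout:
        return {"port": port, "status": "filtered"}
    except ConnectionRefusedError:
        return {"port": port, "status": "closed"}
    except OSError as exc:
        return {"port": port, "status": "error", "detail": str(exc)}

    parsed = parse_response(data)
    if parsed is None:
        return {"port": port, "status": "accepted-no-reply"}
    seen_ip, seen_port = parsed
    return {
        "port": port,
        "status": "open",
        "seen_ip": seen_ip,
        "seen_port": seen_port,
        # A different address/port at the server end means NAT or a proxy
        # is rewriting the connection on the way out.
        "nat": (seen_ip, seen_port) != (local_ip, local_port),
    }


def scan(host, ports, workers=32, timeout=2.0):
    """Probe many ports concurrently, like the threaded Egresser client."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        return list(pool.map(lambda p: probe(host, p, timeout), ports))


def summarise(results):
    """Concise summary: permitted ports plus whether NAT was observed."""
    return {
        "permitted": sorted(r["port"] for r in results if r["status"] == "open"),
        "nat_suspected": any(r.get("nat", False) for r in results),
    }


if __name__ == "__main__":
    # Self-test against a responder on loopback (constructed setup).
    listener, bound = start_server()
    print(summarise(scan("127.0.0.1", [bound])))
    listener.close()
```

The `accepted-no-reply` status is the check worth keeping when assessing a real perimeter: an intercepting proxy will happily complete the TCP handshake on ports it is configured for, so a plain connect-scan overstates what is permitted; only a parsed reply proves the packets reached the far side. The iptables REDIRECT that maps every port onto the responder in production is outside this example.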

Why?

It is recommended that outbound firewall rules are restricted within
corporate environments to ensure perimeter controls are not easily
circumvented. For example, inadequate egress filtering within an
organisation would allow a malicious user to trivially bypass a web proxy
providing filtering/AV/logging simply by changing a browser’s connection
settings. Many other examples exist: many worms spread over SMB, malware
can use numerous channels to exfiltrate data, and potentially unauthorised
software (e.g. torrent/P2P file sharing) can operate freely, wasting
corporate resources and significantly increasing the likelihood of
malicious code being introduced into the environment.

Generally, it is recommended that all outbound protocols should be
restricted, allowing exceptions from specific hosts on a case-by-case
basis. Web browsing should be conducted via dedicated web proxies only,
with any attempted direct connections logged by the perimeter firewall and
investigated as necessary.

Egresser is a simple-to-use tool that allows a penetration tester to
quickly enumerate allowed outbound ports within a corporate environment.